PuppetLess talk, more rock

ALM Connect 2013

deepakgiridharagopaldeepak@puppetlabs.com@grim_radical [github twitter freenode]

Let’s talk about...

Immutabilityis great!

-- Joshua Bloch, “Effective Java”Classes should be immutable unless there's a very good reason to make them mutable....If a class cannot be made immutable, limit its mutability as much as possible.

Immutability allows for invariants, which help you reason about correctness

Immutability prevents spooky action at a distance

Immutability fosters modular, composable abstractions

(this shouldn’t be a tough sell to

developers)

That’s great for develoment, but how

about operations?

Immutability for infrastructure?Because operations is in the same boat as development

Everyone who’s got their app running on a fleet of servers has experienced spooky action at a distance

Known, good state is critical for reliable upgrades

A lack of predictability in your systemsruins automation and abstraction

The problem is that:

Systems are inherently mutable!

But ideally:

Systems should behave as though they weren’t!

façade of immutability. Immutability

façade of immutability. Immutability

-- The Joy of Clojure

façade of immutability. Immutability requires that we layer over and abstract the parts of our system that provide unrestrained mutability.

Computer systems are in many ways open systems, providing the keys to the vault if one is so inclined to grab them. But in order to foster an air of immutability in our own systems, it's of utmost importance to create a

Describe how you’d like your systems to look, and Puppet does all the hard work for you!

Example: Inquirea simple service for exposing system metrics

Example: Inquirehttp://box/inquire/disk_usage

install apachecreate apache user

create apache config filecgi script for “df -h”

correct perms for scriptstart apache

restart if config changes!

Once you’ve got a spec for your service, you can see if a given machine is up to code

• Packages:

• apache

• Users:

• apache

• Config files:

• apache’s httpd.conf

• Services:

• apache should be running

• restart if config file changes

• Data files:

• /var/www/cgi-bin/disk_usage

• executable, owned by apache

• does “df -h”

class inquire_server { package { apache: ensure => installed } user { apache: uid => 1000, shell => "/bin/false" } service { apache: ensure => running }  file { "/etc/httpd/httpd.conf": owner => root, mode => 644, source => "puppet://master-server/httpd.conf", notify => Service[apache];  "/var/www/cgi-bin/disk_usage.sh": owner => apache, mode => 755, content => "/usr/bin/df -h"; }}

class inquire_bootstrap { package { apache: ensure => installed } user { apache: uid => 1000, shell => "/bin/false" } service { apache: ensure => running }  file { "/etc/httpd/httpd.conf": owner => root, mode => 644, source => "puppet://master-server/httpd.conf", notify => Service[apache]; }} class inquire_disk_usage { include inquire_bootstrap file { "/var/www/cgi-bin/disk_usage.sh": owner => apache, mode => 755, content => "/usr/bin/df -h"; }}

class inquire_bootstrap { package { apache: ensure => installed } user { apache: uid => 1000, shell => "/bin/false" } service { apache: ensure => running }  file { "/etc/httpd/httpd.conf": owner => root, mode => 644, source => "puppet://master-server/httpd.conf", notify => Service[apache]; }} define inquiry($command) { include inquire_bootstrap file { "/var/www/cgi-bin/$name.sh": owner => apache, mode => 755, content => $command; }}

node “appserver.mydomain.com” { inquiry { "disk-usage": command => "df -h"; "processes": command => "ps aux"; "kernel-info": command => "uname -a"; }}

node “appserver1.mydomain.com” { inquiry { "disk-usage": command => "df -h"; "processes": command => "ps aux"; "kernel-info": command => "uname -a"; }}

node “appserver2.mydomain.com” { inquiry { "disk-usage": command => "df -h"; "processes": command => "ps aux"; "kernel-info": command => "uname -a"; }}

class instrumentation { inquiry { "disk-usage": command => "df -h"; "processes": command => "ps aux"; "kernel-info": command => "uname -a"; }}

node “appserver1.mydomain.com” { include instrumentation}

node “appserver2.mydomain.com” { include instrumentation}

Rich set of primitives, and make your own. Can use existing modules and abstractions, and make your own.

netmask_lo: 255.0.0.0 augeasversion: 0.10.0 fqdn: pe-debian6.localdomain manufacturer: "VMware, Inc." processorcount: "1" productname: VMware Virtual Platform physicalprocessorcount: 1 facterversion: 1.6.7 boardproductname: 440BX Desktop Reference Platform kernelmajversion: "2.6" hardwareisa: unknown timezone: PDT puppetversion: 2.7.12 (Puppet Enterprise 2.5.1) lsbdistcodename: squeeze is_virtual: "true" operatingsystemrelease: 6.0.2 virtual: vmware type: Other domain: localdomain hostname: pe-debian6 selinux: "false" kernel: Linux kernelrelease: 2.6.32-5-686

ipaddress: 172.16.245.128 processor0: Intel(R) Core(TM) i7-2635QM CPU @ 2.00GHz lsbdistrelease: 6.0.2 uniqueid: 007f0101 hardwaremodel: i686 kernelversion: 2.6.32 operatingsystem: Debian architecture: i386 lsbdistdescription: Debian GNU/Linux 6.0.2 (squeeze) lsbmajdistrelease: "6" interfaces: "eth0,lo" ipaddress_lo: 127.0.0.1 uptime_days: 0 lsbdistid: Debian rubysitedir: /opt/puppet/lib/site_ruby/1.8 rubyversion: 1.8.7 osfamily: Debian memorytotal: &id001 502.57 MB memorysize: *id001 boardmanufacturer: Intel Corporation path: /usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/

file { “/etc/issue”: content => “Got an issue? Here’s a tissue!”,}

file { “/etc/motd”: content => template(“Welcome to $hostname!”),}

file { "/etc/sudoers": owner => root, group => root, mode => 440, source => "puppet:///modules/sudo/sudoers"}

class ntp { package { 'ntp': ensure => installed, } service { 'ntpd': ensure => running, enable => true, subscribe => File['/etc/ntp.conf'], } file { '/etc/ntp.conf': ensure => file, require => Package['ntp'], source => "puppet:///modules/ntp/ntp.conf", } }

node “webserver.mydomain.com” { include ntp } node “appserver.mydomain.com” { include ntp }

node “database.mydomain.com” { include ntp }

class ssh {

@@sshkey { $hostname: type => dsa, key => $sshdsakey } Sshkey <<| |>>

}

Dir “/tmp/foo”

File “/tmp/foo/bar”

Dir “/tmp”

User “deepak”

Dir “/tmp/foo”

File “/tmp/foo/bar”

Dir “/tmp” User “deepak”

Dir “/tmp/foo”

File “/tmp/foo/bar”

Dir “/tmp” User “deepak”

package { 'ntp': ensure => installed, } service { 'ntpd': ensure => running, enable => true, subscribe => File['/etc/ntp.conf'], } file { '/etc/ntp.conf': ensure => file, require => Package['ntp'], source => "puppet:///modules/ntp/ntp.conf", }

package { 'ntp': ensure => installed, } service { 'ntpd': ensure => running, enable => true, subscribe => File['/etc/ntp.conf'], } file { '/etc/ntp.conf': ensure => file, require => Package['ntp'], source => "puppet:///modules/ntp/ntp.conf", }

package { 'ntp': ensure => installed, } service { 'ntpd': ensure => running, enable => true, subscribe => File['/etc/ntp.conf'], } file { '/etc/ntp.conf': ensure => file, require => Package['ntp'], source => "puppet:///modules/ntp/ntp.conf", }

package { 'ntp': ensure => installed, } service { 'ntpd': ensure => running, enable => true, subscribe => File['/etc/ntp.conf'], } file { '/etc/ntp.conf': ensure => file, require => Package['ntp'], source => "puppet:///modules/ntp/ntp.conf", }

Idempotent, and only does what’s necessary

Compensates for the inherent mutability of systems

Combats spooky action at a distance with automatic repair

Brings predictability to your systems

A foundation of predictability and reliability lets you perform higher-level operations on your infrastructure

Code all the way down

Software-defined infrastructure is...just software. Infrastructure as code is...just code.

Thus, you can treat it like the other code in your application

Scary, but liberating!

Maintaining the state of your systems is the foundation upon which everything rests

Start small, and start somewhere. :)

deepakgiridharagopaldeepak@puppetlabs.com@grim_radical [github twitter freenode]

We’re hiring!